From: Djerk Geurts (djerk@djerk.nl)
Date: Mon Jul 09 2007 - 06:52:20 ART
Many wrong answers; it's a trick question, two lines isn't enough.
> Take these subnets:
>
> 10.0.5.0/24
> 10.0.10.0/24
> 10.0.12.0/24
> 10.0.13.0/24
> 10.0.15.0/24
>
> And write two-line ACL to permit them without permitting 10.0.6.0/24,
> 10.0.7.0/24..and the other subnets included in the range.
There are several options to choose from with the least number of lines:
permit 10.0.5.0 0.0.8.255 (matches .5 and .13)
permit 10.0.10.0 0.0.0.255 (.10)
permit 10.0.12.0 0.0.0.255 (.12)
permit 10.0.15.0 0.0.0.255 (.15)
(implicit deny)
Other variations of the above would match .12 and .13 or .13 and .15 in one
line; this does not reduce the number of lines, as they all match .13.
A few pieces of advice:
- Write the octets out as binary
- Practice binary to decimal (and back) conversion until you're sick of it
and keep yourself sharp for the lab; it will save you lots of time. This
stuff can be a real time consumer if you're caught off-guard.
- Realise that a two-bit mask will match 4 addresses, a 3-bit mask 8
addresses, etc.
***
Evaluating the given answers so far:
#1
Permit 10.0.0.0 0.0.15.0
Deny any
This allows the network addresses 10.0.0.0 - 10.0.15.0; it was stated that
the other networks should be denied. Also, this ACL doesn't allow the hosts
on those networks. (You can ask the proctor if the implicit deny should be
seen or not...)
#2a
permit 10.0.10.0 0.0.5.255 (.10 .11 .14 .15)
permit 10.0.5.0 0.0.8.255 (.5 .13)
Permit 10.0.12.0 0.0.0.0 (.12 network address only)
(implicit deny)
This permits network 10.0.11.0 (as a host) and network 10.0.14.0 which
wasn't asked for.
#2b
permit 10.0.10.0 0.0.5.255 (.10 .11 .14 .15)
permit 10.0.5.0 0.0.10.255 (.5 .7 .13 .15)
Permit 10.0.12.0 0.0.0.0 (.12 network address only)
(implicit deny)
Same comments as for #2a, but additionally the unasked network 10.0.7.0 is
permitted.
#3a
Deny 10.0.0.0 0.0.6.0 (.0 .2 .4 .6 network address only)
Permit 10.0.0.0 0.0.8.0 (.0 .8 network address only)
(implicit deny)
The deny doesn't block any traffic, only the network address. Same for the
permit; next to that, two networks are permitted that aren't asked for.
#3b
Deny 10.0.0.0 0.0.6.0 (.0 .2 .4 .6 network address only)
permit 10.0.5.0 0.0.15.255 (allow .0 through to .15)
(implicit deny)
The deny doesn't block any traffic, only the network address. The result of
this ACL is that .1 .3 .5 .7 through to .15 are allowed; this is not what
was asked for.
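As an added illustration (not part of the original mail), the Python below evaluates wildcard-mask ACL entries with first-match semantics and the implicit deny, then runs the four-line answer and candidates #2a and #3b against 10.0.0.0 through 10.0.15.0, probing both the network address (.0) and a host (.1) so the "network address only" effect of a 0.0.0.0 wildcard is visible. Function and list names are my own.

```python
import ipaddress

# Cisco wildcard masks: a 1 bit means "don't care", a 0 bit must match exactly.
# An ACL is a list of (action, address, wildcard) entries, evaluated top down;
# when nothing matches, the implicit deny applies.

def wildcard_matches(entry_addr: str, wildcard: str, host: str) -> bool:
    """True if host falls inside the wildcard range of entry_addr."""
    a = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    h = int(ipaddress.IPv4Address(host))
    care = 0xFFFFFFFF ^ w          # bits that must match exactly
    return (a & care) == (h & care)

def acl_permits(acl, host: str) -> bool:
    """First-match evaluation; False when no entry matches (implicit deny)."""
    for action, addr, wc in acl:
        if wildcard_matches(addr, wc, host):
            return action == "permit"
    return False

def permitted_subnets(acl, probe_host: int = 1) -> set:
    """Third octets N (0..15) for which 10.0.N.<probe_host> is permitted.

    probe_host=0 tests only the network address, probe_host=1 a real host:
    an entry with a 0.0.0.0 wildcard permits the former but not the latter."""
    return {n for n in range(16) if acl_permits(acl, f"10.0.{n}.{probe_host}")}

# The four-line answer from the mail, and candidates #2a and #3b (constructed
# from the mail's text).
ACL_FOUR_LINE = [
    ("permit", "10.0.5.0",  "0.0.8.255"),   # .5 and .13
    ("permit", "10.0.10.0", "0.0.0.255"),
    ("permit", "10.0.12.0", "0.0.0.255"),
    ("permit", "10.0.15.0", "0.0.0.255"),
]
ACL_2A = [
    ("permit", "10.0.10.0", "0.0.5.255"),   # .10 .11 .14 .15
    ("permit", "10.0.5.0",  "0.0.8.255"),   # .5 .13
    ("permit", "10.0.12.0", "0.0.0.0"),     # 10.0.12.0 itself, no hosts
]
ACL_3B = [
    ("deny",   "10.0.0.0",  "0.0.6.0"),     # network addresses .0 .2 .4 .6 only
    ("permit", "10.0.5.0",  "0.0.15.255"),  # everything .0 through .15
]

if __name__ == "__main__":
    for name, acl in (("4-line", ACL_FOUR_LINE), ("#2a", ACL_2A), ("#3b", ACL_3B)):
        print(name, "hosts:", sorted(permitted_subnets(acl)),
              "net addrs:", sorted(permitted_subnets(acl, 0)))
```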
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART